test: Integrate custom selinux relabelling unit with firstboot

diff --git a/test/units/autorelabel.service b/test/units/autorelabel.service
index 7e5f9a2b89bdc9ad8805ad9038d3960c72689edb..fd652225d9eabf4be46248947c58f0c9be7e2673 100644 (file)
--- a/test/units/autorelabel.service
+++ b/test/units/autorelabel.service
@@ -3,9 +3,14 @@
 Description=Relabel all filesystems
 DefaultDependencies=no
 Requires=local-fs.target
-Conflicts=shutdown.target
 After=local-fs.target
-Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=multi-user.target
+# Needs to access /var, which may not have been populated yet
+After=systemd-tmpfiles-setup.service
+# Must wait for systemd-machine-id-commit or firstboot-autorelabel will reactivate autorelabel
+After=systemd-machine-id-commit.service
 ConditionSecurity=selinux
 ConditionPathExists=|/.autorelabel
 
@@ -16,4 +21,4 @@ TimeoutSec=infinity
 RemainAfterExit=yes
 
 [Install]
-WantedBy=basic.target
+WantedBy=multi-user.target

diff --git a/test/units/firstboot-autorelabel.service b/test/units/firstboot-autorelabel.service
new file mode 100644 (file)
index 0000000..b69dcf7
--- /dev/null
+++ b/test/units/firstboot-autorelabel.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+[Unit]
+Description=Activate relabelling on firstboot only
+DefaultDependencies=no
+Wants=first-boot-complete.target
+Requires=local-fs.target
+After=local-fs.target
+Conflicts=shutdown.target
+Before=shutdown.target
+Before=first-boot-complete.target sysinit.target autorelabel.service
+ConditionPathIsReadWrite=/etc
+ConditionFirstBoot=yes
+
+[Service]
+ExecStart=touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target